the geometry of lattice cryptography - uniurb · 2011. 10. 25. · point lattices lattice...

Point LatticesLattice Cryptography

The Geometry of Lattice Cryptography

Daniele Micciancio

Department of Computer Science and EngineeringUniversity of California, San Diego

August 29-30, 2011 (FOSAD ’11 – Bertinoro, Italy)

Daniele Micciancio The Geometry of Lattice Cryptography

Cryptography, Complexity and Lattices

Cryptography: exploiting hard computational problems to buildcomputer systems that are hard to break.

Good news

There are plenty of hardcomputational problems incomputer science.

Bad news

Finding cryptographicallyuseful hard problemsseems hard.

Cryptography requires problems that

are very hard to solve: solution should take enormous time

are hard to solve on average, even with small probability

have extra features, e.g., trapdoors, regularity, etc.

Good news

Bad news

Good news

Bad news

Good news

Bad news

Good news

Bad news

Good news

Bad news

Point Lattices and Cryptography

Lattice problems

appear to be very hard (solution takes exponential time),

have been widely studied by mathematicians since 19thcentury (Lagrange, Gauss, Dirichlet, . . . ),

provably yield hard on average problems, from worst-casecomplexity assumptions.

Lattice related constructions and cryptographic functions

have many useful features (linearity, trapdoors, etc.),

are efficient and easy to implement, typically involving onlysimple arithmetic operations on small numbers.

Lattice problems

Ajtai’s function

Definition (Ajtai’s function)

fA(x) = Ax mod q where A ∈ Zn×mq and x ∈ 0, 1m

x ∈ 0, 1m 0 1 1 0 1 0 0 (q = 10)

A ∈ Zn×mq

1 4 5 9 3 0 24 2 8 6 2 4 37 5 5 4 7 8 02 7 0 1 4 6 9

y = Ax ∈ Znq

Security (One-wayness)

Given A and y, it is hard to find x ∈ 0, 1m s.t. fA(x) = y.

Ajtai’s function

x ∈ 0, 1m 0 1 1 0 1 0 0 (q = 10)

A ∈ Zn×mq

1 4 5 9 3 0 24 2 8 6 2 4 37 5 5 4 7 8 02 7 0 1 4 6 9

y = Ax ∈ Znq

Ajtai’s function

x ∈ 0, 1m 0 1 1 0 1 0 0 (q = 10)

A ∈ Zn×mq

1 4 5 9 3 0 24 2 8 6 2 4 37 5 5 4 7 8 02 7 0 1 4 6 9

y = Ax ∈ Znq

Outline

1 Point LatticesComputational ProblemsThe dual lattice

2 Lattice CryptographyAverage Case HardnessRandom LatticesCryptographic functions

Computational ProblemsThe dual lattice

Outline

Point Lattices

The simplest example of lattice is Zn = (x1, . . . , xn) : xi ∈ ZOther lattices are obtained by applying a linear transformation

B : x = (x1, . . . , xn) 7→ Bx = x1 · b1 + · · ·+ xn · bn

Point Lattices

The simplest example of lattice is Zn = (x1, . . . , xn) : xi ∈ ZOther lattices are obtained by applying a linear transformation

B : x = (x1, . . . , xn) 7→ Bx = x1 · b1 + · · ·+ xn · bn

(1, 0)

(0, 1)

Lattices and Bases

A lattice is the set of all integer linear combinations of (linearlyindependent) basis vectors B = b1, . . . ,bn ⊂ Rn:

L =n∑

bi · Z = Bx : x ∈ Zn

The same lattice has many bases

L =n∑

ci · Z

Definition (Lattice)

A discrete additive subgroup of Rn

Lattices and Bases

L =n∑

ci · Z

Lattices and Bases

L =n∑

ci · Z

Lattices and Bases

L =n∑

ci · Z

Minimum Distance and Successive Minima

Minimum distance

λ1 = minx,y∈L,x6=y

‖x− y‖

= minx∈L,x6=0

‖x‖

Successive minima (i = 1, . . . , n)

λi = minr : dim span(B(r) ∩ L) ≥ i

Examples

Zn: λ1 = λ2 = . . . = λn = 1Always: λ1 ≤ λ2 ≤ . . . ≤ λn

Minimum distance

‖x− y‖

= minx∈L,x6=0

‖x‖

Examples

Minimum distance

‖x− y‖

= minx∈L,x6=0

‖x‖

Examples

Minimum distance

‖x− y‖

= minx∈L,x6=0

‖x‖

Examples

λ1λ2

Minimum distance

‖x− y‖

= minx∈L,x6=0

‖x‖

Examples

λ1λ2

Distance Function and Covering Radius

Distance function

µ(t,L) = minx∈L‖t− x‖

Covering radius

µ(L) = maxt∈span(L)

µ(t,L)

Spheres or radius µ(L) centeredaround all lattice points cover thewhole space

Distance function

Covering radius

µ(t,L)

Distance function

Covering radius

µ(t,L)

Distance function

Covering radius

µ(t,L)

Distance function

Covering radius

µ(t,L)

Bounding the covering radius

Let V = [v1, . . . , vn] be linearlyindependent, ‖vi‖ ≤ λnTile Rn with copies ofP(V) = V[0, 1)n

If t ∈ x + P(V), then

‖t− x‖ ≤∑‖vi‖ ≤ nλn.

This proves µ(L) ≤ nλn(L), andcan be further improved:

Theorem

For any lattice L, µ(L) ≤√n2 λn(L)

‖t− x‖ ≤∑‖vi‖ ≤ nλn.

Theorem

‖t− x‖ ≤∑‖vi‖ ≤ nλn.

Theorem

‖t− x‖ ≤∑‖vi‖ ≤ nλn.

Theorem

‖t− x‖ ≤∑‖vi‖ ≤ nλn.

Theorem

Bounding the successive minima

Let ‖b1‖ = λ1(L)

Let t = 12b1

Then µ(t,L) ≥ λ1/2

This proves λ1(L) ≤ 2µ(L), and canbe further improved:

Theorem

For any lattice L, λn(L) ≤ 2µ(L)

Let ‖b1‖ = λ1(L)

Let t = 12b1

Theorem

Let ‖b1‖ = λ1(L)

Let t = 12b1

Theorem

Let ‖b1‖ = λ1(L)

Let t = 12b1

Theorem

Let ‖b1‖ = λ1(L)

Let t = 12b1

Theorem

Relations among lattice parameters

Theorem

For any lattice L, λ1 ≤ λ2 ≤ . . . ≤ λn ≤ 2µ ≤√

Remarks:

1 µ ≈ λn (up to√

n factors)

2 For some lattices λ1 λ2 . . . λn3 For some lattices λ1 = λ2 = . . . = λn and 2µ =

√nλn

4 For some lattices λ1 = λ2 = . . . = λn and µ ≤ 2λn

Problem

Give an explicit construction of a lattice satisfying µ ≤ 2λ1

Theorem

Remarks:

n factors)

√nλn

Problem

Theorem

Remarks:

n factors)

√nλn

Problem

Theorem

Remarks:

n factors)

√nλn

Problem

Theorem

Remarks:

n factors)

√nλn

Problem

Theorem

Remarks:

n factors)

√nλn

Problem

Determinant

Definition (Determinant)

det(L) = volume of the fundamental region P =∑

i bi · [0, 1)

Different bases define differentfundamental regions

All fundamental regions have the samevolume

The determinant of a lattice can beefficiently computed from any basis.

Determinant

i bi · [0, 1)

Determinant

i bi · [0, 1)

Determinant

i bi · [0, 1)

Density estimates

Definition (Centered Fundamental Parallelepiped)

P =∑

i bi · [−1/2, 1/2)

vol(P(B)) = det(L)

x + P(B) | x ∈ L partitions Rn

For all sufficiently large S ⊆ Rn

|S ∩ L| ≈ vol(S)/ det(L)

Density estimates

P =∑

i bi · [−1/2, 1/2)

vol(P(B)) = det(L)

Density estimates

P =∑

i bi · [−1/2, 1/2)

vol(P(B)) = det(L)

Minkowski’s convex body theorem

Theorem (Convex Body)

Let C ⊂ Rn be a symmetric convex body. If vol(C ) > 2n, then Ccontains a nonzero integer vector

C = B−1[−r , r ]n has volumedet(B)−1(2r)n = 2n

C contains x ∈ Zn \ 0BC = [−r , r ]n contains Bx

λ1(L) ≤√

nr =√

n det(L)1/n

Let L = BZn and r = det(L)1/n. Then,

λ1(L) ≤√

nr =√

n det(L)1/n

λ1(L) ≤√

nr =√

n det(L)1/n

λ1(L) ≤√

nr =√

n det(L)1/n

λ1(L) ≤√

nr =√

n det(L)1/n

λ1(L) ≤√

nr =√

n det(L)1/n

Minkowski’s second theorem

Theorem (Minkowski)

λ1(L) ≤

λi (L)

≤√

n det(L)1/n

For Zn, λ1 = (∏

i λi )1/n = 1 is smaller than Minkowski’s

bound by√

λ1(L) can be arbitrarily smaller than Minkowski’s bound

i λi (L))1/n is never smaller than Minkowski’s bound bymore than

Can you find lattices with (∏

i λi (L))1/n ≥ Ω(√

n) det(L)1/n

within a constant from Minkowski’s bound?

Theorem (Minkowski)

λ1(L) ≤

λi (L)

≤√

n det(L)1/n

For Zn, λ1 = (∏

bound by√

i λi (L))1/n ≥ Ω(√

n) det(L)1/n

Theorem (Minkowski)

λ1(L) ≤

λi (L)

≤√

n det(L)1/n

For Zn, λ1 = (∏

bound by√

i λi (L))1/n ≥ Ω(√

n) det(L)1/n

Theorem (Minkowski)

λ1(L) ≤

λi (L)

≤√

n det(L)1/n

For Zn, λ1 = (∏

bound by√

i λi (L))1/n ≥ Ω(√

n) det(L)1/n

Theorem (Minkowski)

λ1(L) ≤

λi (L)

≤√

n det(L)1/n

For Zn, λ1 = (∏

bound by√

i λi (L))1/n ≥ Ω(√

n) det(L)1/n

Outline

Shortest Vector Problem

Definition (Shortest Vector Problem, SVP)

Given a lattice L(B), find a (nonzero) lattice vector Bx (withx ∈ Zk) of length (at most) ‖Bx‖ ≤ λ1

Bx = 5b1 − 2b2

Definition (Shortest Vector Problem, SVPγ)

Given a lattice L(B), find a (nonzero) lattice vector Bx (withx ∈ Zk) of length (at most) ‖Bx‖ ≤ γλ1

Bx = 5b1 − 2b2

Shortest Independent Vectors Problem

Definition (Shortest Independent Vectors Problem, SIVP)

Given a lattice L(B), find n linearly independent lattice vectorsBx1, . . . ,Bxn of length (at most) maxi ‖Bxi‖ ≤ λn

Definition (Shortest Independent Vectors Problem, SIVPγ)

Given a lattice L(B), find n linearly independent lattice vectorsBx1, . . . ,Bxn of length (at most) maxi ‖Bxi‖ ≤ γλn

Closest Vector Problem

Definition (Closest Vector Problem, CVP)

Given a lattice L(B) and a target point t, find a lattice vector Bxwithin distance ‖Bx− t‖ ≤ µ from the target

Definition (Closest Vector Problem, CVPγ)

Given a lattice L(B) and a target point t, find a lattice vector Bxwithin distance ‖Bx− t‖ ≤ γµ from the target

tµ 2µ

NP-hardness of CVP

Definition (Subset Sum)

Given a1, . . . , an, b ∈ Z find S ⊆ 1, . . . , n s.t.∑

i∈S ai = b

Theorem

‖Bx− t‖ ≤√

n if and only if x ∈ 0, 1n and∑

xi=1 ai = b.

NP-hardness of CVP

i∈S ai = b

Theorem

‖Bx− t‖ ≤√

xi=1 ai = b.

NP-hardness of CVP

i∈S ai = b

a1 · · · an2 0 0

0. . . 0

b1...1

Bx−t =

i aixi − b2x1 − 1

...2xn − 1

Theorem

‖Bx− t‖ ≤√

xi=1 ai = b.

NP-hardness of CVP

i∈S ai = b

a1 · · · an2 0 0

0. . . 0

b1...1

Bx−t =

i aixi − b2x1 − 1

...2xn − 1

Theorem

‖Bx− t‖ ≤√

xi=1 ai = b.

Complexity of CVP, SVP, SIVP

Cryptography

NPC coNP/coAM P/RPγ

1 no(1)√

Best algorithm for exact solution takes time 2n [MV10]

(Almost) NP-hard for factors up to γ = n1/loglogn.[Ajtai96,. . . ,HR07]

Polynomial time for slightly subexponential γ[Schnorr93+AKS01,GN08+MV10]

Unlikely to be NP-hard for γ ≥√

n/ log n [GG01,AR04]

Cryptography

1 no(1)√

Cryptography

1 no(1)√

Cryptography

1 no(1)√

Cryptography

1 no(1)√

CVP and lattice cosets

Lattice Λ, target t

CVP: Find v such thate = t− v is shortest possible

t′ = t + Bx

v = v′ − Bx

Definition (Coset CVP)

Given a lattice coset t + L, findthe (approximately) shortestelement of t + L.

t′ = t + Bx

v = v′ − Bx

t′ = t + Bx

v = v′ − Bx

t′ = t + Bx

v = v′ − Bx

t′ = t + Bx

v = v′ − Bx

t′ = t + Bx

v = v′ − Bx

Working modulo a lattice

Definition (Fundamental Region)

D ⊂ Rn is a fundamental region for L if D + x | x ∈ L is apartition of Rn.

(L,+) is a subgroup of (Rn,+)

One can form the quotien group Rn/LElements of Rn/L are cosets t + LAny fundamental region D gives a setof standard representatives

P =∑

i bi · [0, 1) ≡ Rn/L

P =∑

i bi · [0, 1) ≡ Rn/L

P =∑

i bi · [0, 1) ≡ Rn/L

P =∑

i bi · [0, 1) ≡ Rn/L

Interlude: CVP One-way Function?

Candidate OWF

Key: a hard lattice LInput: x, ‖x‖ ≤ βOutput: fL(x) = x mod L

β < λ1/2: fL is injective

β > λ1/2: fL is not injective

β ≥ µ: gL is surjective

β µ: gL(x) is almostuniform

Question

Is fL hard to invert?

Candidate OWF

Question

Candidate OWF

Question

Candidate OWF

Question

Candidate OWF

Question

Candidate OWF

Question

Candidate OWF

Question

Outline

The Dual

A vector space over R is a set of vectors V with

a vector addition operation x + y ∈ Va scalar multiplication a · x ∈ V

The dual of a vector space V is the set V ∗ = Hom(V ,R) oflinear functions φ : V → R, typically represented as vectorsx ∈ V , where φx(y) = 〈x, y〉The dual of a lattice Λ is defined similarly as the set of linearfunctions φx : Λ→ Z represented as vectors x ∈ span(Λ).

Definition (Dual lattice)

The dual of a lattice Λ is the set of all vectors x ∈ span(Λ) suchthat 〈x, v〉 ∈ Z for all v ∈ Λ

The Dual

Dual lattice: Examples

Integer lattice (Zn)∗ = Zn

Rotating (RΛ)∗ = R(Λ∗)

Scaling ( 1q · Λ)∗ = q · Λ∗

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Operations on x ∈ Λ andy ∈ Λ∗:

〈x, y〉 ∈ Zbut x + y has nogeometric meaning

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Properties of dual:

Λ1 ⊆ Λ2 ⇐⇒ Λ∗1 ⊇ Λ∗

(Λ∗)∗ = Λ

Lattice Layers

Each dual vector v ∈ L∗,partitions the lattice L intolayers orthogonal to v

Li = x ∈ L | x · v = i

Layers are at distance 1/‖v‖ρ(L) ≥ 1

2‖v‖

If λ1(L∗) is small, then ρ(L)is large.

Lattice Layers

Li = x ∈ L | x · v = i

2‖v‖

Lattice Layers

Li = x ∈ L | x · v = i

2‖v‖

Lattice Layers

Li = x ∈ L | x · v = i

2‖v‖

Transference Theorems

Theorem (Banaszczyk)

For any lattice L

1 ≤ 2λ1(L) · ρ(L∗) ≤ n.

Theorem (Banaszczyk)

For every i ,1 ≤ λi (L) · λn−i+1(L∗) ≤ n.

Approximating λ1(L) within a factor n is in NP ∩ coNP

Same is true for λi , . . . , λn and ρ.

CVP and dual lattice

Lattice Λ, target t = v + e

Dual lattice Λ∗ = L(D).

Syndrome of t:

s = 〈D, t〉 mod 1

= 〈D, v〉+ 〈D, e〉 mod 1

= 〈D, e〉 mod 1.

All vectors in a coset t + Lhave the same syndrome.

Definition (Syndrome CVP)

Find shortest e such that〈D, e〉 = s mod 1

Syndrome of t:

s = 〈D, t〉 mod 1

= 〈D, v〉+ 〈D, e〉 mod 1

= 〈D, e〉 mod 1.

Syndrome of t:

s = 〈D, t〉 mod 1

= 〈D, v〉+ 〈D, e〉 mod 1

= 〈D, e〉 mod 1.

Syndrome of t:

s = 〈D, t〉 mod 1

= 〈D, v〉+ 〈D, e〉 mod 1

= 〈D, e〉 mod 1.

Syndrome of t:

s = 〈D, t〉 mod 1

= 〈D, v〉+ 〈D, e〉 mod 1

= 〈D, e〉 mod 1.

Syndrome of t:

s = 〈D, t〉 mod 1

= 〈D, v〉+ 〈D, e〉 mod 1

= 〈D, e〉 mod 1.

Average Case HardnessRandom LatticesCryptographic functions

Outline

Back to CVP One-way function

Candidate OWF

Key: a hard lattice L(D)∗

Input: x, ‖x‖ ≤ βOutput: fD(x) = Dx mod 1

β ≥ µ: gL is surjectivefD

Special Versions of CVP

Definition (Decisional CVP)

Given (L, t, d), with µ(t,L) ≤ d , find a lattice point withindistance d from t.

If d is arbitrary, then one can find the closest lattice vector bybinary search on d .

Bounded Distance Decoding, BDD: If d < λ1(L)/2, thenthere is at most one solution. Solution is the closest latticevector.

Absolute Distance Decoding, ADD: If d ≥ ρ(L), then there isalways at least one solution. Solution may not be closestlattice vector.

ADD reduces to SIVP

ADD input: L and arbitrary t

Compute short vectors V = SIVP(L)

Use V to find a lattice vector within distance∑i12‖vi‖ ≤ (n/2)λn ≤ nρ from t

ADD reduces to SIVP

BDD reduces to SIVP

BDD input: t close to LCompute V = SIVP(L∗)For each vi ∈ L∗, find the layerLi = x | x · vi = ci closest to t

Output L1 ∩ L2 ∩ · · · ∩ Ln

Output is correct as long as

µ(t,L) ≤ λ12n≤ 1

2λ∗n≤ 1

2‖vi‖

BDD reduces to SIVP

Output L1 ∩ L2 ∩ · · · ∩ Ln

µ(t,L) ≤ λ12n≤ 1

2λ∗n≤ 1

2‖vi‖

BDD reduces to SIVP

Output L1 ∩ L2 ∩ · · · ∩ Ln

µ(t,L) ≤ λ12n≤ 1

2λ∗n≤ 1

2‖vi‖

BDD reduces to SIVP

Output L1 ∩ L2 ∩ · · · ∩ Ln

µ(t,L) ≤ λ12n≤ 1

2λ∗n≤ 1

2‖vi‖

BDD reduces to SIVP

Output L1 ∩ L2 ∩ · · · ∩ Ln

µ(t,L) ≤ λ12n≤ 1

2λ∗n≤ 1

2‖vi‖

Special Versions of SVP and SIVP

GapSVP: compute (or approximate) the value λ1 withoutnecessarily finding a short vector

GapSIVP: compute (or approximate) the value λn withoutnecessarily finding short linearly independent vectors

Transference Theorem λ1 ≈ 1/λ∗n: GapSVP can be(approximately) solved by solving GapSIVP in the dual lattice,and vice versa

Problems

Exercise: Computing λ1 (or λn) exactly is as hard as SVP (orSIVP)Open Problem: Reduce approximate SVP (or SIVP) toapproximate GapSVP (or GapSIVP)

Problems

Relations among lattice problems

SIVP ≈ ADD [MG’01]

SVP ≤ CVP [GMSS’99]

SIVP ≤ CVP [M’08]

BDD . SIVP

CVP . SVP [L’87]

GapSVP ≈ GapSIVP[LLS’91,B’93]

GapSVP . BDD [LM’09]

GapSVP GapSIVP BDD

SIVP ADD

SVP CVP

Relations among lattice problems

SIVP ≈ ADD [MG’01]

SVP ≤ CVP [GMSS’99]

SIVP ≤ CVP [M’08]

BDD . SIVP

CVP . SVP [L’87]

GapSVP ≈ GapSIVP[LLS’91,B’93]

GapSVP . BDD [LM’09]

GapSVP GapSIVP BDD

SIVP ADD

SVP CVP

Outline

Provable security (from average case hardness)

Example 1: (Rabin) modular squaring

fN(x) = x2 mod N, where N = p · qInverting fN is at least as hard as factoring N

Theorem

fN is cryptographically hard to invert, provided most N = p · q arehard to factor

hard N’s

All N’s

hard fN ’s

All fN ’s

Example 1: (Rabin) modular squaring

fN(x) = x2 mod N, where N = p · qInverting fN is at least as hard as factoring N

Theorem

fN is cryptographically hard to invert, provided most N = p · q arehard to factor

hard N’s

All N’s

hard fN ’s

All fN ’s

Example 2: CVP function

fD(x) = Dx mod 1

Inverting fD is as hard as ADD/BDD in L(D)∗

Theorem

fD is one-way provided ADD/BDD is hard for most L(D)∗

hard D’s

All D’s

hard fD’s

All fD’s

Example 2: CVP function

fD(x) = Dx mod 1

Inverting fD is as hard as ADD/BDD in L(D)∗

Theorem

fD is one-way provided ADD/BDD is hard for most L(D)∗

hard D’s

All D’s

hard fD’s

All fD’s

Average-case Complexity

Average-case complexity depends on input distribution

Example (Factoring problem)

Given a number N, output a, b > 1 such that N = ab

Factoring can be easy on average

if N is uniformly random, then N = 2 · N2 with probability 50%!

Factoring N = pq is believed to be hard when p, q arerandomly chosen primes

How do we know L(D)∗ is a hard distribution for ADD/BDD?

Provable security (from worst case hardness)

There is a probability distribution on D such that

Any fixed lattice L is mapped to a random D

Breaking fD allows to solve ADD/BDD L.

D is also very easy to sample

All lattices

hard fD’s

All lattices

hard fD’s

All lattices

hard fD’s

All lattices

hard fD’s

All lattices

hard fD’s

Outline

Random lattices in Cryptography

Cryptography typically uses (random)lattices Λ such that

Λ ⊆ Zd is an integer latticeqZd ⊆ Λ is periodic modulo a smallinteger q.

Cryptographic functions based on q-arylattices involve only arithmetic modulo q.

Definition (q-ary lattice)

Λ is a q-ary lattice if qZn ⊆ Λ ⊆ Zn

Random lattices in Cryptography

Cryptography typically uses (random)lattices Λ such that

Λ ⊆ Zd is an integer latticeqZd ⊆ Λ is periodic modulo a smallinteger q.

Cryptographic functions based on q-arylattices involve only arithmetic modulo q.

Definition (q-ary lattice)

Λ is a q-ary lattice if qZn ⊆ Λ ⊆ Zn

Examples of q-ary lattices

Examples (for any A ∈ Zn×dq )

Λq(A) = x | x mod q ∈ ATZnq ⊆ Zd

Λ⊥q (A) = x | Ax = 0 mod q ⊆ Zd

Theorem

For any lattice Λ the following conditions are equivalent:

qZd ⊆ Λ ⊆ Zd

Λ = Λq(A) for some A

Λ = Λ⊥q (A) for some A

For any fixed A, the lattices Λq(A) and Λ⊥q (A) are different

Λ⊥q (A) = x | Ax = 0 mod q ⊆ Zd

Theorem

qZd ⊆ Λ ⊆ Zd

Λ⊥q (A) = x | Ax = 0 mod q ⊆ Zd

Theorem

qZd ⊆ Λ ⊆ Zd

Duality of q-ary lattices

The q-ary lattices associated to A are dual (up to scaling)

Λ⊥q (A) = q · Λq(A)∗

Λq(A) = q · Λ⊥q (A)∗

In particular, det(Λq(A)) · det(Λ⊥q (A)) = qn

det(Λ⊥q (A)) ≤ qk

det(Λq(A)) ≥ qn−k

Λ⊥q (A) = q · Λq(A)∗

Λq(A) = q · Λ⊥q (A)∗

Λ⊥q (A) = q · Λq(A)∗

Λq(A) = q · Λ⊥q (A)∗

Non-degenerate Matrices

Definition

Mk,n = A ∈ Zk×nq | AZn

q = Zkq

PrA ∈Mk,n ≥ 1− 1qn−k

Λ⊥q (Mk,n) ≡ Λq(Mn−k,n) are the same distribution

det(Λ⊥q (Mk,n)) = det(Λq(Mn−k,n)) = qk

Minkowki’s bound λ1 ≤√

Theorem

Almost every lattice in Λ⊥q (Mk,n) ≡ Λq(Mn−k,n) satisfies

λ1, . . . , λn, ρ = Θ(√

nqk,n)

Definition

q = Zkq

Theorem

λ1, . . . , λn, ρ = Θ(√

nqk,n)

Definition

q = Zkq

Theorem

λ1, . . . , λn, ρ = Θ(√

nqk,n)

Definition

q = Zkq

Theorem

λ1, . . . , λn, ρ = Θ(√

nqk,n)

Definition

q = Zkq

Theorem

λ1, . . . , λn, ρ = Θ(√

nqk,n)

Definition

q = Zkq

Theorem

λ1, . . . , λn, ρ = Θ(√

nqk,n)

Are q-ary lattices hard?

Question

Are lattice problems on random q-ary lattices hard on average?

GapSVP and GapSIVP are easy!

Why? Just output Minkowki’s bound√

nqk/n!

What about BDD? (Remember BDD ≤ GapSVP.)

BDD may still be hard! Reduction from BDD to GapSVPrequires a wost-case GapSVP oracle.

Are ADD, SIVP, SVP, CVP hard?

Question

nqk/n!

Question

nqk/n!

Question

nqk/n!

Question

nqk/n!

Question

nqk/n!

Ajtai’s function

Keyed function family

fA(x) = Ax mod q

where A ∈ Zn×mq and x ∈ 0, 1m.

x ∈ 0, 1m 0 1 1 0 1 0 0

A ∈ Zn×mq

1 4 5 9 3 0 24 2 8 6 2 4 37 5 5 4 7 8 02 7 0 1 4 6 9

Ax ∈ Znq

Ajtai’s function and q-ary lattices

fA(x) = Ax mod q, where x is short

The output of fA(x) is the syndrome of x

Inverting fA(x) is the same as CVP in its syndrome decodingformulation with lattice Λ⊥q (A) and target t ∈ x + Λ⊥q (A)

The q-ary lattice Λ⊥q (A) is the kernel of fA

Finding collisions fA(x) = fA(y) is equivalent to finding shortvectors x− y ∈ Λ⊥q (A)

Parameters

Parameters:

n: main security parameterq = n2 = nO(1) small modulusm = 2n log2 q = O(n log n)e.g., n = 256, q = 216, m = 8192

fA is a compression function

It maps m bits to n log2 q < m bits(e.g., 8192→ 4096)There exist collisions fA(x) = fA(y)

1 . . . q

Question

Is fA collision resistant when A ∈ Zn×mq is chosen at random?

Parameters

Parameters:

1 . . . q

Question

Parameters

Parameters:

1 . . . q

Question

Parameters

Parameters:

1 . . . q

Question

Efficiency issues

q = nO(1), m = 2n log2 q

Let’s lower n = 64, q = 28, m = 1024

fA maps 1024 bits to 512.

Key size: nm log q = O(n2 log2 n) =219 = 64KB

Runtime: nm = O(n2 log n) = 216

arithmetic operations

Still inefficient because of quadraticdependency in n

1 . . . q

Efficiency issues

q = nO(1), m = 2n log2 q

Let’s lower n = 64, q = 28, m = 1024

1 . . . q

Efficiency issues

q = nO(1), m = 2n log2 q

Let’s lower n = 64, q = 28, m = 1024

1 . . . q

Efficiency issues

q = nO(1), m = 2n log2 q

Let’s lower n = 64, q = 28, m = 1024

1 . . . q

Efficient lattice based hashing

Use structured matrix

A = [A(1) | . . . | A(m/n)]

where A(i) ∈ Zn×nq is circulant

A(i) =

a(i)1 a

(i)n · · · a

a(i)2 a

(i)1 · · · a

......

. . ....

a(i)n a

(i)n−1 · · · a

Proposed by [M02], where it is proved that fA is one-wayunder plausible complexity assumptions

Similar idea first used by NTRU public key cryptosystem(1998), but with no proof of security

Wishful thinking: finding short vectors in Λ⊥q (A) is hard, andtherefore fA is collision resistant

A = [A(1) | . . . | A(m/n)]

A(i) =

a(i)1 a

(i)n · · · a

a(i)2 a

(i)1 · · · a

......

. . ....

a(i)n a

(i)n−1 · · · a

A = [A(1) | . . . | A(m/n)]

A(i) =

a(i)1 a

(i)n · · · a

a(i)2 a

(i)1 · · · a

......

. . ....

a(i)n a

(i)n−1 · · · a

A = [A(1) | . . . | A(m/n)]

A(i) =

a(i)1 a

(i)n · · · a

a(i)2 a

(i)1 · · · a

......

. . ....

a(i)n a

(i)n−1 · · · a

Can you find a collision?

1 4 3 8 6 4 9 0 2 6 4 5 3 2 7 18 1 4 3 0 6 4 9 5 2 6 4 1 3 2 73 8 1 4 9 0 6 4 4 5 2 6 7 1 3 24 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3

−1×

1 0 0 -1 -1 1 1 0 0 0 1 1 1 0 -1 0

1 4 3 8 6 4 9 0 2 6 4 5 3 2 7 18 1 4 3 0 6 4 9 5 2 6 4 1 3 2 73 8 1 4 9 0 6 4 4 5 2 6 7 1 3 24 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3

−1×

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

1 4 3 8 6 4 9 0 2 6 4 5 3 2 7 18 1 4 3 0 6 4 9 5 2 6 4 1 3 2 73 8 1 4 9 0 6 4 4 5 2 6 7 1 3 24 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3

−1×

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

1 4 3 8 6 4 9 0 2 6 4 5 3 2 7 18 1 4 3 0 6 4 9 5 2 6 4 1 3 2 73 8 1 4 9 0 6 4 4 5 2 6 7 1 3 24 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3

−1×

1 1 1 1 -1 -1 -1 -1 0 0 0 0 1 1 1 1

1 4 3 8 6 4 9 0 2 6 4 5 3 2 7 18 1 4 3 0 6 4 9 5 2 6 4 1 3 2 73 8 1 4 9 0 6 4 4 5 2 6 7 1 3 24 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3

−1×

Remarks about proofs of security

This function is essentially the compression function of hashfunction LASH, modeled after NTRU

You can still “prove” security based on average caseassumption: Breaking the above hash function is as hard asfinding short vectors in a random lattice Λ([A(1)| . . . |A(m/n)])

. . . but we know the function is broken: The underlyingrandom lattice distribution is weak!

Conclusion: Assuming that a problem is hard on average-caseis a really tricky business!

Back to general lattices

Finding short vectors in Λ⊥q (A) when A is a random “blockcirculant” matrix is easy

What about unstructured random A ∈ Zk×nq ?

Question

Is fA collision resistant when A ∈ Zk×nq is random?

Yes, provided SIVP/ADD/BDD are hard in the worst-case![Ajtai96,...,MR04]

We will give an oversimplified proof sketch, where A ∈ Rk×n

Question

Blurring a lattice

Consider an arbitrary lattice, and addnoise to each lattice point until the en-tire space is covered. Increase the noiseuntil the space is uniformly covered.

How much noise is needed? [MR]

‖r‖ ≤ (log n) ·√

n · λn/2

Each point in a ∈ Rn can bewritten a = v + r where v ∈ L and‖r‖ ≈

√nλn.

a ∈ Rn is uniformly distributed.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Blurring a lattice

‖r‖ ≤ (log n) ·√

n · λn/2

√nλn.

Security proof (sketch)

Generate random points ai = vi + ri , wherevi is a random lattice pointri is a random error vector of length ‖ri‖ ≈

√nλn

A = [a1, . . . , am] is distributed almost uniformly at random inRn×m, so

if we can break Ajtai’s function fA, thenwe can find a vector z ∈ −1, 0, 1m such that∑

(vi + ri )zi =∑

aizi = 0

Rearranging the terms yields a lattice vector∑vizi = −

∑rizi

of length at most ‖∑

rixi‖ ≈√

n ·max ‖ri‖ ≈ n · λnDaniele Micciancio The Geometry of Lattice Cryptography

√nλn

(vi + ri )zi =∑

aizi = 0

∑rizi

rixi‖ ≈√

√nλn

(vi + ri )zi =∑

aizi = 0

∑rizi

rixi‖ ≈√

√nλn

(vi + ri )zi =∑

aizi = 0

∑rizi

rixi‖ ≈√

What about efficiency

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

1 -4 -3 -8 6 -4 -9 -0 2 -6 -4 -5 3 -2 -7 -1

8 1 -4 -3 0 6 -4 -9 5 2 -6 -4 1 3 -2 -7

3 8 1 -4 9 0 6 -4 4 5 2 -6 7 1 3 -2

4 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3

Theorem (trivial)

Finding collisions on the average is at least as hard as finding shortvectors in the corresponding random lattices

Theorem (LM’07)

Provably collision resistant, assuming the worst case hardness ofapproximating SVP and SIVP over ideal lattices.

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

1 -4 -3 -8 6 -4 -9 -0 2 -6 -4 -5 3 -2 -7 -1

8 1 -4 -3 0 6 -4 -9 5 2 -6 -4 1 3 -2 -7

3 8 1 -4 9 0 6 -4 4 5 2 -6 7 1 3 -2

4 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3

Theorem (trivial)

Theorem (LM’07)

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

1 -4 -3 -8 6 -4 -9 -0 2 -6 -4 -5 3 -2 -7 -1

8 1 -4 -3 0 6 -4 -9 5 2 -6 -4 1 3 -2 -7

3 8 1 -4 9 0 6 -4 4 5 2 -6 7 1 3 -2

4 3 8 1 4 9 0 6 6 4 5 2 2 7 1 3

Theorem (trivial)

Theorem (LM’07)

Efficiency of anti-cyclic hashing

Key size: (m/n) · n log q = m · log q = O(n) bits

Anti-cyclic matrix-vector multiplication can be computed inquasi-linear time O(n) using FFT

The resulting hash function can also be computed in O(n)time

For approximate choice of parameters, this can be verypractical (SWIFFT [LMPR])

The hash function is linear: A(x + y) = Ax + Ay

We will see that this can be a feature rather than a weakness

Outline

Hard Random Lattices

Theorem (Ajtai,MR04)

fA is collision resistant, under the assumption that SIVP is hard toapproximate in the worst-case withing a factor γ ≈ n.

Equivalently, ...

Theorem

If ADD is hard to approximate in the worst case within γ ≈ n, thenADD is hard on average for input distribution Λ⊥q (Zn×m

Theorem (R05)

If ADD/SIVP is hard to approximate in the worst case withinγ ≈ n even by quantum algorithms, then BDD is hard on averagefor input distribution Λ⊥q (Zn×m

Equivalently, ...

Theorem

Theorem (R05)

Equivalently, ...

Theorem

Theorem (R05)

One-time signatures

OTS: diginal signature scheme that allows to sign a singlemessage (faster than a full fledged signature scheme)

Global parameters: q-ary lattice A

Secret key: short error vectors S

Public key: syndromes P = AS (Hash of secret key underhomomorphic hash function)

Message: short vector m

Signature: σ = Sm

Verify: Check if σ is short and Pm = Aσ

One-time signatures

Signature: σ = Sm

One-time signatures

Signature: σ = Sm

One-time signatures

Signature: σ = Sm

One-time signatures

Signature: σ = Sm

One-time signatures

Signature: σ = Sm

One-time signatures

Signature: σ = Sm

OTS security

Assume there is an attack to the one-time signature scheme. Thenwe can find collisions to hash function fA as follows.

Generate A, S, P = AS

Sign σ = Sm as requested by attacker

Attacker produces a forgery (m′, σ′)

(Sm′, σ′) is a collision: ASm′ = Pm′ = Aσ′

Note: Adversary cannot output σ′ = Sm′ because A,P, σ do notreveal enough information about S.Note: This scheme [LM08] can be very efficient when implementedwith ideal lattices.

OTS security

Regev (LWE) cryptosystem

n r × A + e p

Parameters:m, n, q ∈ Z,A ∈ Zm×n

Secret key: s ∈ Znq, e ∈ Em

Public key:p = As + e ≈c Zm

Encryptp(m;(r)):

u = rTA

c = rTp + m − r0

Decrypts(u,c) =c − u · s ≈ m.

n r × A + e p

Encryptp(m;(r)):

u = rTA

c = rTp + m − r0

n r × A + e p

Encryptp(m;(r)):

u = rTA

c = rTp + m − r0

n r × A + e p

Encryptp(m;(r)):

u = rTA

c = rTp + m − r0

n r × A + e p

Encryptp(m;(r)):

u = rTA

c = rTp + m − r0

n r × A + e p

Encryptp(m;(r)):

u = rTA

c = rTp + m − r0

The geometry of LWE encryption

n r × A + e p

[A | p]: random q-ary latticewith a planted short vector e

Encryption:(u, c) = [A|p]T r is thesyndrome of r + Λ⊥q ([A|p])

Decryption: use short dualvector e to solve BDDproblem

n r × A + e p

GPV (dual LWE) cryptosystem

m r ⊗ A ⊕ e p

u ⊕ e0 c

Secret key: r ∈ Em

Public key: u = rTA ≈s Zmq

Encryptu(m;e):

p = As + e

c = u · s + e0 + m

Decryptr(p,c) =c − rTp ≈ m.

m r ⊗ A ⊕ e p

u ⊕ e0 c

Encryptu(m;e):

p = As + e

c = u · s + e0 + m

m r ⊗ A ⊕ e p

u ⊕ e0 c

Encryptu(m;e):

p = As + e

c = u · s + e0 + m

m r ⊗ A ⊕ e p

u ⊕ e0 c

Encryptu(m;e):

p = As + e

c = u · s + e0 + m

m r ⊗ A ⊕ e p

u ⊕ e0 c

Encryptu(m;e):

p = As + e

c = u · s + e0 + m

Comparing Regev and GPV encryption

Regev (LWE)

r A e p

GPV (dual LWE)

r A e p

Regev and GPV cryptosystems use the same mathematical objectsA, s, r, e,p,u, c , but operate on them in different roles:

Public key generation ⇐⇒ EncryptionSecret key ⇐⇒ Encryption randomnessPublic key ⇐⇒ Ciphertext

Comparing Regev and GPV encryption

Regev (LWE)

r A e p

GPV (dual LWE)

r A e p

Regev and GPV cryptosystems use the same mathematical objectsA, s, r, e,p,u, c , but operate on them in different roles:

Public key generation ⇐⇒ EncryptionSecret key ⇐⇒ Encryption randomnessPublic key ⇐⇒ Ciphertext

Naive interpretation

The schemes are syntactically similar: Regev and GPVcryptosystems operate on the same mathematical objectsA, s, r, e,p,u, c .

The scheme are semantically different:

Common parameters A ⇐⇒ A Common parameters

secret key s, e ⇐⇒ s, e encryption randomness

encryption randomness r ⇐⇒ r secret key

public key p ⇐⇒ p ciphertext

ciphertext u ⇐⇒ u public key

Naive interpretation

The schemes are syntactically similar: Regev and GPVcryptosystems operate on the same mathematical objectsA, s, r, e,p,u, c .

The scheme are semantically different:

Common parameters A ⇐⇒ A Common parameters

secret key s, e ⇐⇒ s, e encryption randomness

encryption randomness r ⇐⇒ r secret key

public key p ⇐⇒ p ciphertext

ciphertext u ⇐⇒ u public key

The true answer: Lattices and Duality

The schemes are syntactically different: The symbolsA, s, r, e,p,u, c in Regev and GPV cryptosystems representdifferent mathematical objects

The two schemes are semantically equivalent:

Common parameters A ⇐⇒ A′ Common parameters

secret key s, e ⇐⇒ r′ secret key

encryption randomness r ⇐⇒ s′, e′ encryption randomness

public key p ⇐⇒ u′ public key

ciphertext u ⇐⇒ p′ ciphertext

The true answer: Lattices and Duality

The schemes are syntactically different: The symbolsA, s, r, e,p,u, c in Regev and GPV cryptosystems representdifferent mathematical objects

The two schemes are semantically equivalent:

Common parameters A ⇐⇒ A′ Common parameters

secret key s, e ⇐⇒ r′ secret key

encryption randomness r ⇐⇒ s′, e′ encryption randomness

public key p ⇐⇒ u′ public key

ciphertext u ⇐⇒ p′ ciphertext

Trapdoor functions

Theorem (A99,AP09,MP11)

There is an algorithm to efficiently generate a random A ∈ Zn×mq

together with a short basis S ∈ Zm×m of Λ⊥q (A).

Trapdoor function:

Inverting fA is a BDD problem

BDD can be solved with a short dual basis

S can be used as an inversion trapdoor

Injective trapdoor functions can be used for the construction of awide range of other more complex cryptographic primitives.

Trapdoor functions

Theorem (A99,AP09,MP11)

There is an algorithm to efficiently generate a random A ∈ Zn×mq

together with a short basis S ∈ Zm×m of Λ⊥q (A).

Trapdoor function:

Inverting fA is a BDD problem

BDD can be solved with a short dual basis

S can be used as an inversion trapdoor

Injective trapdoor functions can be used for the construction of awide range of other more complex cryptographic primitives.

Conclusion

Lattice cryptography allows to build a wide range of manyother cryptographic primitives (Hierarchical identity basedencryption, Fully homomorphic encryption, and much more)

It has great potential for fast implementation due to simpleoperations and high parallelizability

Most primitives can be described and explained in terms of ahandful of basic geometric concepts

Everything that can be done with number theoretic schemecan be done with lattice crypography as well

Currently the only method known to build fully homomorphicencryption

Not quite ready for use in practice, but moving fast in thatdirection

Open problems: concrete efficiency, security evaluation, etc.

the geometry of lattice cryptography - uniurb · 2011. 10. 25. · point lattices lattice...

Documents

symbolic proofs for lattice-based cryptography ·...

peculiar properties of lattice-based encryption...peculiar...

introduction to modern lattice-based cryptography ·...

lattice based cryptography - sjtu

lattice-based cryptography: security foundations and...

standardizing lattice cryptography · why lattice...

lattice-based cryptography: constructing trapdoors and...

a decade of lattice cryptography

post-quantum lattice-based cryptography - diva...

lattice cryptography for the...

design and implementation of lattice-based cryptography ·...

lattice cryptography in the nist standardization process ·...

lattice cryptography for the internet - cryptology …...

lattice-based cryptography: short integer solution(sis

point groups and lattice geometry

lattice-based cryptography

introduction to modern lattice-based cryptography (part...

duality in lattice cryptography - university of california...

lattice-based cryptography: a practical...

on practical discrete gaussian samplers for lattice-based...